On one of my machines I run a Win 2008 R2 server. It has been recently updated. My RDP session is limited to my IP address only and the firewall is UP. Even though the main RDP port 3389 is blocked by the firewall (IP restricted), I am getting thousands of attempts to break in on a range of different ports from 1012 to 63000. I attached the snapshot of the issue. I am getting thousands every day, so my log file fills up pretty quickly.

I am not an expert on Windows servers and all I can do at this point is to add the culprit's IP address to the blocked IPs in my firewall. But the IP changes after 500 attempts regularly. My question is, how do I prevent this so I do not have to monitor this server every day? Any help appreciated.

3 Answers

There are a few items in addition to what you've written that I would add.

Rename your admin account - Yes this might be a pain in the ass (especially if you've got services using the domain admin account) however this is a commonly attempted brute force username. Rename this account to something ambiguous that won't easily be guessed.

Don't use common names for accounts - If you audit the security logs you'll notice that a good chunk of the login names are common names (Administrator, admin, sql, sa, besadmin, guest, etc.). Ensure that you are either not using these usernames, or if you need to use the username, ensure it doesn't have the rights to log on to your remote desktop server.

Enforce an Account Lockout Policy - With your administrator account renamed and your other service accounts renamed or not given access to the remote server, this will disable someone's attempt to login with that username. Make sure you set this as a local policy on the remote server and not a domain policy. Users will attempt the wrong password with your account for X amount of tries, get locked out and move on to the next IP address.

Investigate TS Gateway - TS Gateway allows for your RDP sessions to connect to your network via the standard SSL port of TCP 443. This will allow you to completely shut off port 3389 from the outside world. The one pitfall I've found with this technology is there is no free Mac RDP client that will allow you to utilize TS Gateway, so if you have Macs you'll either need to pay for the client or disregard TS Gateway.

Windows SSHD_Block - A talented SysAdmin by the name of Evan Anderson wrote a nice little VBScript that will block IPs attempting to Brute Force your Terminal server. Check it out HERE
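The automatic-blocking idea from the last item, as an added example that is not Evan Anderson's script nor anything from the original answer: a PowerShell script that counts failed logons (Security event 4625) per source IP over a time window and adds a Windows Firewall block rule for any IP over a threshold. It assumes PowerShell 2.0+ on Server 2008 R2, an elevated shell, and the threshold, window, rule-name prefix and whitelist address are all assumed values to adjust.

```powershell
# Added example: block source IPs with many failed logons (Event ID 4625) using netsh.
# Assumptions: run as Administrator; Security auditing of logon failures is enabled
# (default on Server 2008 R2); threshold/window/prefix/whitelist below are placeholders.
$Threshold     = 20                 # failed logons per window before blocking
$WindowMinutes = 60                 # look-back window
$RulePrefix    = 'RDP-BruteForce-Block'
$WhitelistIPs  = @('203.0.113.10')  # constructed placeholder: your own allowed admin IP(s)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
# Get-WinEvent emits a non-terminating error when no 4625 events exist; suppress it.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Tally failures by source address. 4625 stores the remote address in the
# IpAddress field of the event XML; the remote *port* there is the client's
# ephemeral port and is not something to block on.
$counts = @{}
foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    if (-not $ip -or $ip -eq '-' -or $ip -eq '127.0.0.1' -or $ip -eq '::1') { continue }
    $counts[$ip] = $counts[$ip] + 1   # $null + 1 evaluates to 1 in PowerShell
}

foreach ($ip in $counts.Keys) {
    if ($counts[$ip] -lt $Threshold -or $WhitelistIPs -contains $ip) { continue }
    $ruleName = "$RulePrefix $ip"
    # Skip addresses that already have a block rule from an earlier run.
    $existing = netsh advfirewall firewall show rule name="$ruleName" 2>$null
    if ($LASTEXITCODE -eq 0 -and ($existing -match 'Rule Name')) { continue }
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block remoteip=$ip | Out-Null
    Write-Output ("Blocked {0}: {1} failed logons in the last {2} minutes" -f $ip, $counts[$ip], $WindowMinutes)
}
```

Run it from a Task Scheduler job every few minutes so the server does not need daily hand-blocking; the whitelist keeps a mistyped password from your own address from locking you out.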

Some things are meant to be changed, some ignored. If my RDP connection is already restricted to my IP address only, the chance someone will break in through port 3389 is less than slim.

It is a good idea to set one more allowed trusted IP address in the firewall rules in case my local IP address changes (happens all the time; ISPs often re-assign new IP addresses after some time). This way I still have a chance to log in via RDP.

The IpPort 1214 (Source Port) or other ports between 1012 and 63000 or more are not the ports of the 2008 Server but the ports of the host computer which tried to log in, so I am not being attacked on those ports! The only port under attack is the firewalled 3389 (RDP port).

Also, an account lockout policy is a good thing. The main problem with account lockout policies is that if someone knows the naming standard for your users, it's far too easy to cause a DoS attack simply by locking out the user accounts by logging in with wrong passwords, and that can be a problem if someone's out to cause problems for you.

There's also software called Syspeace that automatically traces, blocks and reports every brute force attempt, and I think it's really easy to use with its GUI.